[openstack-dev] [ironic][security] what is OK to put in DEBUG logs?

Devananda van der Veen devananda.vdv at gmail.com
Wed Nov 18 21:48:04 UTC 2015


On Wed, Nov 18, 2015 at 9:48 AM, Ruby Loo <rlooyahoo at gmail.com> wrote:

> Hi,
>
> I think we all agree that it isn't OK to log credentials (like passwords)
> in DEBUG logs. However, what about other information that might be
> sensitive? A patch was recently submitted to log (in debug) the SWIFT
> temporary URL [1]. I agree that it would be useful for debugging, but since
> that temporary URL could be used (by someone that has access to the logs
> but no admin access to ironic/glance) e.g. for fetching private images, is it
> OK?
>
> Even though we say that debug shouldn't be used in production, we can't
> enforce what folks choose to do. And we know of at least one company that
> runs their production environment with the debug setting. Which isn't to
> say we shouldn't put things in debug, but I think it would be useful to
> have some guidelines as to what we can safely expose or not.
>
> I took a quick look at the security web page [2] but nothing jumped out at
> me wrt this issue.
>
> Thoughts?
>
> --ruby
>
> [1] https://review.openstack.org/#/c/243141/
> [2] https://security.openstack.org
>
>
In this context, the URL is a time-limited access code being used in place
of a password or keystone auth token to allow an unprivileged client
temporary access to a specific privileged resource, without granting that
client access to any other resources. In some cases, that resource might be
a public Glance image and so one might say, "oh, it's not _that_
sensitive". However, the same module being affected by [1] is also used by
the iLO driver to upload a temporary image containing sensitive
instance-specific data.

I agree that it's not the same risk as exposing a password, but I still
consider this an access token, and therefore don't think it should be
written to log files, even at DEBUG.

-Deva
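One mitigation for the concern raised in this thread, as an added example that is not part of the discussion or of ironic's own code: a redaction helper plus a logging filter that mask the Swift temp URL signature (the `temp_url_sig` query parameter) before a URL reaches the log, so DEBUG output keeps the object path and expiry for troubleshooting without recording a replayable token. The hostnames and URLs below are constructed.

```python
import logging
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Swift's tempurl middleware carries the HMAC signature in temp_url_sig;
# that value (with the path and expiry) is what grants access, so it is the
# part that must never be written to a log file.
SIG_PARAM = "temp_url_sig"
REDACTED = "REDACTED"

# Matches a temp_url_sig value wherever it appears in free-form log text.
_SIG_RE = re.compile(r"(temp_url_sig=)[^&\s\"']+")


def redact_temp_url(url: str) -> str:
    """Mask the signature in a Swift temp URL, keeping path and expiry.

    The object path and temp_url_expires stay visible so an operator can
    still see which object was requested and whether the URL had expired,
    but the logged value can no longer be replayed to fetch the object.
    """
    parts = urlsplit(url)
    params = [(k, REDACTED if k == SIG_PARAM else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(params)))


class TempUrlRedactingFilter(logging.Filter):
    """Logging filter that scrubs temp URL signatures from every record.

    Attaching it to a handler means a stray ``LOG.debug("url %s", url)``
    elsewhere in the code base cannot leak a usable token, even when an
    operator runs production at DEBUG.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = _SIG_RE.sub(r"\1" + REDACTED, str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(
                _SIG_RE.sub(r"\1" + REDACTED, a) if isinstance(a, str) else a
                for a in record.args)
        return True  # never drop the record, only sanitize it
```

`redact_temp_url` is for call sites that know they hold a temp URL; the filter is the safety net for everything else.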